Enclave Security: Secure Configuration Management (SCM)
David Hoon, DISA PEO-MA, SCM PMO
http://www.disa.mil/scm
UNCLASSIFIED
The information provided in this briefing is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government.
Agenda
• SCM Introduction
• SCM Lifecycle
• SCM Objectives
• SCM Community Model
• Current Capability Framework
• Governance Model
• Capability Program Map
• NSA SCM R&D Focused Efforts
• SCM Programs
  – CMRS
  – DPMS
  – IAVM
Introduction
Security-focused Configuration Management (SecCM) is defined as: "the management and control of configurations for information systems to enable security and facilitate the management of information security risk." (NIST SP 800-128)
PROGRAM OBJECTIVES: The DoD SCM Program is the integration and optimization of enterprise IA applications, tools, and data standards to support automated processes used for risk management and near-real-time awareness. It enables Information System Monitoring as part of DoD's Continuous Monitoring Strategy, supporting the initial data sets of assets, system configurations, and vulnerabilities (FISMA reporting requirements).
PROGRAM CAPABILITIES: Leverage inherent SCM capabilities used within CC/S/As. Provide pervasive enterprise capabilities and interfaced automated capabilities, based on common data standards, to enhance and accelerate the CC/S/As' ability to:
• Identify assets
• Check system configuration compliance against policies and standards
• Search for potential vulnerabilities
• Act on known vulnerabilities to establish a known risk posture for systems/networks
• Report status and share information with those that need to know
• Configure assets securely and maintain secure configurations
• Provide continuous situational awareness to the right people
Why SCM?
The Enterprise Today:
• Difficult to maintain secure configurations: high level of effort, diminished return on investment
• Disparate IA tool sets: proprietary capabilities, disconnected and stand-alone configurations
• Manual reporting: resource intensive, slow, and limits trusted situational awareness
The Future Enterprise:
• Automated, end-to-end security compliance process
• Standardized and validated toolsets connected throughout the enterprise
• Continuous reporting to improve data integrity and validity
SCM Program Objectives
• The SCM Program implements published standards, uses validated tools, and employs standardized interfaces to realize essential Secure Configuration capabilities.
• Standards: Secure Configuration Automation Protocol (SCAP). A NIST-developed, industry-adopted set of standards supporting interoperability and automated data exchange. Extended to include standard data formats for reporting asset and summary information.
• Tools: Commercial-off-the-Shelf (COTS) and Government-off-the-Shelf (GOTS) tools validated as conforming to SCAP standards.
• Interfaces: Leverage SCAP and emerging standards (Asset Report Format (ARF) / ARF Summary Report (ASR)) to distribute asset data by defining data input and output formats for SCAP-validated tools.
• Capabilities: Content/Policy development; Asset Inventory/Discovery; Security State Analysis/Risk Assessment; and Risk Mitigation.
Automated STIGs
Automated STIG & IAVM Benchmarks (with OVAL) available:
• Windows XP
• Windows Vista
• Windows 2003 Domain Controller & Member Server
• Windows 2008 Domain Controller & Member Server
• Windows 7
• Windows 2008R2
• Red Hat 5
• Solaris 9 (x86 and sparc)
• Solaris 10 (x86 and sparc)
• HP-UX 11.23
• HP-UX 11.31
• AIX 5.3
• AIX 6.1
• Windows IAVM 2009, 2010, 2011, 2012 (PKI restricted)
• IE8
• IE9
http://iase.disa.mil/stigs/scap/index.html
SCM Governance Model (diagram; bodies shown)
• ESSG
• CCWG
• OWG – SCM (CSIP, IAVM, Continuous Monitoring, Risk Scoring, C&A, Mission Assurance)
• TWG – Network Scanning
• TWG – Network Mapping
• TWG – Continuous Monitoring
• TWG – Risk Scoring
• TWG – Policy and Remediation
• Enterprise Acquisition Approval
• Enterprise Capability Release Board
• SCM CCB
• Program CCB
SCM R&D FOCUS AREAS (FY13 - FY17)
• SCM in Mobile Environment: Develop SCM capabilities for mobile and wireless devices.
  – Mobile Device Manager
  – Dynamic Policy Generation (supports BYOD)
  – Mobile Application Store
• Automated Remediation: Develop remediation policies allowing centralized control and decentralized execution of remediation.
  – COTS Remediation Tools
  – Remediation Standard
  – Group Policy Fixes
  – Policy-Driven Automated Course-of-Action (ACoA)
• Collect Configuration Data from Human Sensors: Develop automated capabilities to collect IT asset and configuration-relevant data from human sensors (i.e., Open Checklist Interactive Language/OCIL, part of the SCAP protocol suite).
  – Certification and Accreditation
  – Non-Automated STIG Checks
  – Training
  – CCRI (Command Cyber Readiness Inspection) / CSIP (Cyber Security Inspection Process)
• SCM in a Virtualized Environment: Develop SCM capabilities for non-persistent and persistent IT virtualization environments.
  – Hypervisor
  – Virtual Desktop Environment
  – Streaming Application Server
SCM in Mobility: PROGRESS & Way Forward
• FY12
  – Completed Combined Baseline Criteria for Mobile Device Manager (MDM)
  – MDM Tool Qualitative Market Analysis
  – Policy and Configuration Guidance Market Analysis
  – CONOP for SCM in Mobile Environment
  – MDM Security Capability Assessment
  – MDM-SCAP Middleware Application
• FY13
  – Market Analysis of MDM / MAS
  – COTS Tool Evaluation and Testing (MDM/MAS)
  – Standards development for mobile assessment (OVAL)
  – Standards-based compliance scanning of mobile devices
  – Integration with TNC concepts
  – Dynamic Policy Generation (Supports BYOD)
  – Integration of MDM with Continuous Monitoring Solution
Automated Remediation: PROGRESS & Way Forward
• FY12
  – Work with NIST on Remediation standard development (CRE & ERI)
  – Work with SPAWAR on the development of the SPAWAR Remediation Tool
• FY13
  – Aggregated automated remediation requirements
  – Automated Remediation CONOP
  – Market Analysis and evaluation of Remediation COTS tools
  – Support further refinement of Remediation standards
  – Create Remediation content to support automated remediation
  – Refine STIG and IAVM automated remediation approach
  – Integrate Remediation Content into DISA Digital Policy Management System
  – Remediation Event Management capability
  – Support Proof of Concept of Automated Remediation course of action
Automated Human Sensor: PROGRESS & Way Forward
SCAP Protocol: OCIL (Open Checklist Interactive Language)
• FY12
  – OCIL Content for Windows 7
  – Lessons Learned for OCIL reference implementation
  – Input to OCIL 2.0 standard
  – Pilot with Telos tool using OCIL
• FY13
  – Market Analysis of current COTS tools that leverage the OCIL data standard
  – CONOP for OCIL to support C&A, STIG Compliance, Training, and CSIP Use Cases
  – Draft requirements for Enterprise OCIL solution
  – Create OCIL content to support identified use cases
  – Provide input to OCIL 3.0 standard
  – Pilot for using OCIL for C&A
  – Pilot for using OCIL for CCRI/CSIP
  – Pilot for using OCIL for STIG Compliance
SCM in Virtualization: PROGRESS & Way Forward
• FY12
  – Collaborate with DISA and CYBERCOMMAND to derive test cases for evaluating security of virtual environments
  – Procure and Establish Virtualization Pilot Lab
  – Configure NSA IT Efficiencies Environment in Lab
  – Install current DISA SCM Tools in Lab
  – Execute test cases to determine security gaps with current DISA tools
  – Recommend approaches to resolve security gaps
• FY13
  – Complete Virtualization Pilot: Final SCM Use Case Execution; Gap Analysis Report; Recommendations Paper for DISA
  – Hypervisor Scanning Capability: STIG/SRG; Market Analysis of Tools; SCAP content; Standards updates (ARF/ASR); Operational Prototype in Lab
  – Non-Persistent Desktop Scanning Capability: Approach to scanning non-persistent desktops/templates; Market Analysis of Tools; Operational Prototype in Lab
SCM Programs
• ACAS
• CMRS/PRSM
• DPMS
  – IAVM Service
  – VMS STIG Maintenance
  – Patch Repository
  – Severity Scoring
• eMASS
• ENMLDS
• HBSS
  – Policy Auditor
  – OAM
  – APS
  – ACCM
• Remediation Manager
• VMS
What is the Digital Policy Management Service?
• Author validated machine-readable content
• Search for and modify/copy already-created content
• Content distribution capability (Machine-to-Machine (M2M), versioning)
  – Based on signatures: the Marines get Marines-signed content, the Navy gets Navy-signed content, and everyone gets Authoritative content
• Collaboration
• Content sharing / learning (e.g., patch testing reciprocity)
  – The Army can share custom content with the Navy; the Navy can share custom content with the Marines; CYBERCOM can share content with everyone
Authoritative Sources of Content
Authoritative sources need to create content as well as validate content created by other sources (Army, Navy, etc.). Content validated/signed by the respective Authoritative source should be scored differently in the Enterprise Risk Scoring (ERS) capability.
• Types of Content:
  – SCAP Content
  – STIG (CCE) (FSO)
  – IAVM (FSO & CYBERCOM)
  – Malware (MAEC) (CYBERCOM)
  – Custom HIPS, AV & other remediation (CYBERCOM)
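The signature-based distribution rule on the DPMS slide (each service gets its own signed content, everyone gets Authoritative content) and the differential scoring of authoritative-validated content above, worked through as an added Go example that is not part of the briefing or of DPMS. The organization names, the 1.0/0.5 score weights and the seed-derived Ed25519 keys are constructed assumptions for the example; a real deployment would verify PKI-issued signatures on the content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SignedContent stands in for a DPMS content package: body, signing organization, Ed25519 signature.
type SignedContent struct {
	Body, Signature []byte
	Signer          string
}
type TrustStore struct { // per-organization public keys and which organizations are authoritative sources
	Keys          map[string]ed25519.PublicKey
	Authoritative map[string]bool
}

// ScoreWeight applies the slides' rule: everyone accepts authoritative content (weight 1.0), an org
// accepts its own signed content (weight 0.5); unknown signers, foreign content or bad signatures fail.
func (ts TrustStore) ScoreWeight(consumer string, c SignedContent) (float64, error) {
	pub, ok := ts.Keys[c.Signer]
	if !ok || !ed25519.Verify(pub, c.Body, c.Signature) {
		return 0, fmt.Errorf("content claiming signer %q does not verify", c.Signer)
	}
	switch {
	case ts.Authoritative[c.Signer]:
		return 1.0, nil
	case c.Signer == consumer:
		return 0.5, nil
	}
	return 0, fmt.Errorf("%q does not accept content signed by %q", consumer, c.Signer)
}

// keyFor derives a key from a constructed seed so the example runs offline (real use: PKI-issued keys).
func keyFor(org string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte("constructed seed: " + org))
	return ed25519.NewKeyFromSeed(seed[:])
}
// Sign packages body on behalf of org; DemoStore registers FSO as authoritative plus two services.
func Sign(org string, body []byte) SignedContent {
	return SignedContent{Body: body, Signer: org, Signature: ed25519.Sign(keyFor(org), body)}
}
func DemoStore() TrustStore {
	ts := TrustStore{Keys: map[string]ed25519.PublicKey{}, Authoritative: map[string]bool{"FSO": true}}
	for _, org := range []string{"FSO", "Navy", "Marines"} {
		ts.Keys[org] = keyFor(org).Public().(ed25519.PublicKey)
	}
	return ts
}
```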
IAVM System Overview
• Automates USCYBERCOM vulnerability scoring and policy generation processes
• Includes CVSS-compliant scoring engine
• Provides real-time interfaces with Symantec DeepSight, NVD, and VMS
• Supports SCAP standards including CVE, CVSS, and CPE
System is live! (June 2012)
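An added example, not code from the briefing or from the IAVM system, of what a CVSS-compliant scoring engine computes: a CVSS v2 base-score calculator using the published CVSS v2 base equations and metric weights (the CVSS version current in 2012). The vector strings and the rejection of incomplete or invalid vectors are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// CVSS v2 base-metric weights from the CVSS v2 specification.
var (
	accessVector     = map[string]float64{"L": 0.395, "A": 0.646, "N": 1.0}
	accessComplexity = map[string]float64{"H": 0.35, "M": 0.61, "L": 0.71}
	authentication   = map[string]float64{"M": 0.45, "S": 0.56, "N": 0.704}
	impactWeight     = map[string]float64{"N": 0.0, "P": 0.275, "C": 0.660}
)

// BaseScore parses a CVSS v2 base vector such as "AV:N/AC:L/Au:N/C:P/I:P/A:P" and returns its
// base score rounded to one decimal, or an error for a malformed or incomplete vector.
func BaseScore(vector string) (float64, error) {
	m := map[string]string{}
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q in %q", part, vector)
		}
		m[kv[0]] = kv[1]
	}
	av, ok1 := accessVector[m["AV"]]
	ac, ok2 := accessComplexity[m["AC"]]
	au, ok3 := authentication[m["Au"]]
	c, ok4 := impactWeight[m["C"]]
	i, ok5 := impactWeight[m["I"]]
	a, ok6 := impactWeight[m["A"]]
	if !(ok1 && ok2 && ok3 && ok4 && ok5 && ok6) {
		return 0, fmt.Errorf("missing or invalid base metric in %q", vector)
	}
	impact := 10.41 * (1 - (1-c)*(1-i)*(1-a))
	exploitability := 20 * av * ac * au
	fImpact := 1.176
	if impact == 0 {
		fImpact = 0 // a vector with no C/I/A impact scores 0 regardless of exploitability
	}
	return math.Round((0.6*impact+0.4*exploitability-1.5)*fImpact*10) / 10, nil
}

func main() {
	s, err := BaseScore("AV:N/AC:L/Au:N/C:P/I:P/A:P")
	fmt.Println(s, err) // prints 7.5 <nil>
}
```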
IAVM System Capabilities
Primary System Capabilities:
• PKI authentication & access control
• Symantec DeepSight web service data feeds for real-time vulnerability info
• Vulnerability analyst workspace/dashboard
• Pre-populated IAVM template and workflow
• SCAP-compliant CVSS vulnerability scoring engine
• Web-based pre-coord collaboration area to capture and track feedback
• Enhanced search: ability to search across current and historical IAVMs using multiple parameters
QUESTIONS
www.disa.mil/scm